In-vehicle communication system

ABSTRACT

An in-vehicle communication system includes a gateway that relays communication between an external apparatus and an in-vehicle LAN; and a communication permission determination unit that inhibits communication between the external apparatus and the in-vehicle LAN through the gateway if it is determined that a vehicle having the in-vehicle LAN mounted therein is in a parking state based on acquired predetermined vehicle information.

This is a Continuing Application of U.S. application Ser. No. 14/931,155, filed Nov. 3, 2015, which claims the benefit of Japanese Patent Application No. 2014-226318, filed on Nov. 6, 2014. The disclosure of the prior applications is hereby incorporated by reference herein in its entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an in-vehicle communication system that includes a gateway for relaying communication between an external apparatus and an in-vehicle LAN.

2. Description of Related Art

Conventionally, for use in an in-vehicle gateway that transfers data, a technology (data filtering technology) is known that determines whether to transfer data according to the contents of data or the state of the vehicle (for example, Japanese Patent Application Publication No. 2002-16614 (JP 2002-16614 A)).

Japanese Patent Application Publication No. 2002-16614 (JP 2002-16614 A) describes that unauthorized access is prevented by not allowing incomplete data or illegal data to pass through the gateway. Japanese Patent Application Publication No. 2002-16614 (JP 2002-16614 A) also describes that the amount of data is limited according to the vehicle state (for example, power state, traveling state, or parking state, etc.).

However, when data is filtered according to the contents of data as described in Japanese Patent Application Publication No. 2002-16614 (JP 2002-16614 A), legal data and illegal data cannot be distinguished depending upon the data that is transferred, sometimes with the possibility that unauthorized access by a malicious third party is permitted. In addition, the primary purpose of limiting the amount of data according to the vehicle state, as described in Japanese Patent Application Publication No. 2002-16614 (JP 2002-16614 A), is to reserve the traffic. This means that there is room for improvement from the viewpoint of preventing unauthorized access by a malicious third party.

SUMMARY OF THE INVENTION

The invention provides an in-vehicle communication system that can more reliably prevent a malicious third party from making unauthorized access to an in-vehicle LAN through a gateway when communication between an external apparatus and the in-vehicle LAN is relayed through the gateway.

An in-vehicle communication system in one aspect of the present invention includes a gateway that is configured to relay communication between an external apparatus and an in-vehicle LAN; and a communication permission determination unit that is configured to inhibit communication between the external apparatus and the in-vehicle LAN through the gateway if it is determined that a vehicle having the in-vehicle LAN mounted therein is in a parking state based on acquired predetermined vehicle information.

According to this aspect of the present invention, the in-vehicle communication system can be provided that can more reliably prevent a malicious third party from making unauthorized access to the in-vehicle LAN through the gateway when communication is relayed between the external apparatus and the in-vehicle LAN through the gateway.

BRIEF DESCRIPTION OF THE DRAWINGS

Features, advantages, and technical and industrial significance of exemplary embodiments of the invention will be described below with reference to the accompanying drawings, in which like numerals denote like elements, and wherein:

FIG. 1 is a general configuration diagram showing an example of the configuration of an in-vehicle communication system;

FIG. 2 is a flowchart showing an example of communication permission determination processing performed by an in-vehicle communication system (gateway ECU) in a first embodiment;

FIG. 3 is a flowchart showing an example of communication permission determination processing performed by an in-vehicle communication system (gateway ECU) in a second embodiment;

FIG. 4 is a flowchart showing an example of failure determination processing performed for the acquisition sources (ECUs) of vehicle information; and

FIG. 5 is a flowchart showing an example of communication permission determination processing performed by an in-vehicle communication system (gateway ECU) in a third embodiment.

DETAILED DESCRIPTION OF EMBODIMENTS

Embodiments of the present invention are described below with reference to the drawings.

First Embodiment

First, the configuration of an in-vehicle communication system 1 in this embodiment is described below.

FIG. 1 is a general configuration diagram showing an example of the configuration of the in-vehicle communication system 1 in this embodiment. The in-vehicle communication system 1, mounted in a vehicle 100, is configured to allow diagnostic communication to be carried out between an external apparatus 25, connected to the vehicle 100, and an in-vehicle LAN 30 (ECUs connected to the in-vehicle LAN 30).

The “diagnostic communication” refers to communication in which a request to send self-diagnostic information (information that is collected by each ECU 40 to describe the failure diagnosis of the ECU 40 itself or its subordinate sensors and actuators) is sent from the external apparatus 25 to each ECU 40 and, in response to the request, the self-diagnostic information is sent from each ECU 40 to the external apparatus 25. For example, the “self-diagnostic information” includes Diagnostic Trouble Code (DTC) and the data detected by various sensors (Freeze Frame Data (FFD)).

As shown in FIG. 1, the in-vehicle communication system 1 includes a gateway ECU 10, an external bus 20, the external apparatus 25, the in-vehicle LAN 30, and the ECUs 40.

The gateway Electronic Control Unit (ECU) 10 is an example of a communication relay unit that physically separates the external bus 20, to which the external apparatus 25 is connected, and the in-vehicle LAN 30 and, at the same time, relays diagnostic communication between the external apparatus 25, connected to the external bus 20, and the in-vehicle LAN 30. The gateway ECU 10 converts data from one medium to another or from one protocol to another on the network to allow the diagnostic communication to be carried out. In addition, the gateway ECU 10 performs various types of control processing for the data relay (data transfer) between the external apparatus 25 and the in-vehicle LAN 30. The gateway ECU 10, configured by a microcomputer, may execute various programs, stored in the ROM, on the CPU to perform various types of control processing.

The gateway ECU 10 includes the following two functional units: gateway unit 11 and communication permission determination unit 12. When the gateway ECU 10 is configured by a microcomputer, the gateway unit 11 and the communication permission determination unit 12 may be each implemented by executing the corresponding program on the CPU.

The gateway unit 11 is a unit that transfers data between the external apparatus 25 and each of the ECUs 40 in the in-vehicle LAN 30. The gateway unit 11 converts data from one medium to another or from one protocol to another between the external apparatus 25 and the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30) to carry out two-way communication. For example, the gateway unit 11 receives a communication frame, which requests the transmission of self-diagnostic information, from the external apparatus 25, converts the frame to the data compatible with the in-vehicle LAN 30 (ECU 40 in the in-vehicle LAN 30), and sends the converted data to the corresponding ECU 40 over the in-vehicle LAN 30. Similarly, the gateway unit 11 receives a communication frame, which describes the self-diagnostic information, from each ECU 40, converts the communication frame to the data compatible with the external apparatus 25, and sends the converted data to the external apparatus 25 via the external bus 20.

The communication permission determination unit 12 is a unit (communication permission determination unit) that determines whether to permit data transfer between the external apparatus 25 and the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30). If the communication permission determination unit 12 permits data transfer between the external apparatus 25 and the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30), the gateway unit 11 transfers data between the external apparatus 25 and the in-vehicle LAN 30. Conversely, if the communication permission determination unit 12 does not permit (inhibits) data transfer between the external apparatus 25 and the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30), the gateway unit 11 does not transfer data between the external apparatus 25 and the in-vehicle LAN 30. The processing performed by the communication permission determination unit 12 will be described later in detail.

In this embodiment, though the gateway unit 11 and the communication permission determination unit 12 are implemented as the function of the same gateway ECU 10, the function of the communication permission determination unit 12 may also be provided outside the gateway ECU 10 (gateway unit 11). That is, the function of the gateway unit 11 and the communication permission determination unit 12 may be provided by the following two devices: one is the relay device (gateway) that relays communication between the external apparatus 25 and the in-vehicle LAN 30 and the other is the processing device, provided separately from the relay device, that has the function of the communication permission determination unit 12.

The external bus 20 is provided to connect the gateway ECU 10 and the external apparatus 25. The external bus 20 has a vehicle-side connector 20 c to which the external apparatus 25 can be connected.

The vehicle-side connector 20 c may be in any mode (form, specification) as long as the external apparatus 25 can be connected to the vehicle 100 (external bus 20). For example, the vehicle-side connector 20 c may be a DCL3 connector for failure diagnosis.

The external apparatus 25 is a device that is connected to the vehicle 100 and has the program rewriting function that acquires the self-diagnostic information from each ECU mounted on the vehicle and rewrites the program of the failure diagnosis function for failure diagnosis and the program of each ECU 40. By connecting an external-apparatus-side connector 25 c, provided at the tip of the communication cord extended from its main body, to the vehicle-side connector 20 c, the external apparatus 25 is connected to the gateway ECU 10 so that communication can be carried out between them.

The in-vehicle LAN 30, an in-vehicle network mounted in the vehicle 100, may be a network conforming to a communication standard such as Controller Area Network (CAN), Local Interconnect Network (LIN), and FlexRay. The in-vehicle LAN 30 connects the electronic control units (ECUs 40), which perform various control processing for the vehicle 100, via the bus to form the network. This network allows the signals, detected by various sensors subordinate to each of the ECUs 40, to be shared among the ECUs 40. As shown in FIG. 1, the in-vehicle LAN 30 has the configuration in which the ECUs 40, each connected to the corresponding bus, are connected via the gateway ECU 10. The in-vehicle LAN 30 may have a configuration in which the ECUs 40 and the gateway ECU 10 are connected to one bus.

The ECUs 40, each of which is an electronic control unit connected to the in-vehicle LAN 30 to perform predetermined control processing in the vehicle 100, may have various subordinate sensors and actuators required for the control contents. As shown in FIG. 1, the ECUs 40 include ECUs 40A, 40B, 40C, and 40D each connected to the bus extended from the gateway ECU 10.

Each of the ECUs 40 (40A to 40D) has the function (self-diagnostic function) to perform the failure diagnosis of itself and its subordinate sensors and actuators and stores the self-diagnostic result in the internal memory. In response to a self-diagnostic information sending request from the external apparatus 25, the ECU 40 sends the self-diagnostic information via the gateway ECU 10. The ECU 40 (40A to 40D) may store the detection data (detection signal) on its subordinate sensors, together with the failure diagnosis result, into the internal memory.

In this embodiment, the ECU 40A is an electronic control unit that controls the engine mounted in the vehicle 100. The ECU 40A is configured to be able to store the information on the fuel consumption of the vehicle 100 (fuel consumption information) in the internal memory and, in response to a sending request from the external apparatus 25, to send the fuel consumption information. The “fuel consumption information” may include the information on the engine rotation speed and the fuel injection amount detected by the sensors subordinate to the ECU 40A.

In this embodiment, the ECU 40B is an electronic control unit that controls the door locking/unlocking of the vehicle 100. The ECU 40B is configured to be able to generate the parking state signal, which indicates whether “all doors of the vehicle 100 are closed and locked through the wireless key operation or the smart key operation”, and to send the generated parking state signal to the gateway ECU 10 via the in-vehicle LAN 30. The ECU 40B may also find that the doors are locked through the wireless key operation or the smart key operation by receiving the signal from the ECU 40C that, as described below, authenticates the wireless key or the smart key by comparing the ID codes via two-way communication. In addition, the ECU 40B may acquire the signal, corresponding to the door open/close state, from the subordinate door courtesy switch.

In this embodiment, the ECU 40C is an electronic control unit that authenticates the wireless key or the smart key. The ECU 40C is configured to be able to send the smart key detection state signal, which indicates whether the smart key is detected in the passenger space, to the gateway ECU 10 via the in-vehicle LAN 30. As described above, the ECU 40C authenticates the wireless key or the smart key by comparing the ID codes via two-way communication. The ECU 40C may also detect the smart key in the passenger space by receiving the response signal from the smart key, which corresponds to the request signal and is sent via the subordinate in-vehicle transmitter (not shown), and then by authenticating the smart key.

In this embodiment, the ECU 40D is an electronic control unit that controls the security (vehicle theft prevention) function (function to activate the horn (not shown) or the indicator (not shown) upon detection of an illegal entry into the passenger space and to issue a warning). The ECU 40D is configured to be able to send the caution state signal, which indicates whether the vehicle 100 is in the security caution state, and the warning state signal, which indicates that the vehicle 100 is in the warning state, to the gateway ECU 10 via the in-vehicle LAN 30. The “security caution state” refers to the state in which the security function described above is enabled. When all doors of the vehicle 100 are locked through the smart key operation, the ECU 40D may place the vehicle 100 in the security function enabled state. The “security warning state” refers to the state in which an illegal entry into the passenger space is detected in the security caution state and the horn or the indicator is activated to issue a warning.

The number of ECUs 40 in the in-vehicle LAN 30 is exemplary, and any number of ECUs 40 may be included in the in-vehicle LAN 30, each as a node. The controlled objects and the control contents of each ECU 40 (40A-40D) in the in-vehicle LAN 30 described above are exemplary, and the controlled objects and control contents of each ECU 40 included in the in-vehicle LAN 30 are arbitrary.

Next, the communication permission determination processing performed by the in-vehicle communication system 1 (gateway ECU 10) in this embodiment is described below.

FIG. 2 is a flowchart showing an example of the communication permission determination processing performed by the in-vehicle communication system 1 (gateway ECU 10) in this embodiment. This flow is executed each time either a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or a communication frame from each ECU 40 in the in-vehicle LAN 30 to the external apparatus 25 is input to the gateway ECU 10.

In step S101, the communication permission determination unit 12 determines whether the vehicle 100 is in the parking state. If it is determined that the vehicle 100 is in the parking state, the processing of the communication permission determination unit 12 proceeds to step S102. If it is determined that the vehicle 100 is not in the parking state, the processing of the communication permission determination unit 12 proceeds to step S103.

The “parking state” refers to the state in which the vehicle 100 is parked while the owner or a person equivalent to the owner (for example, a member of the owner's family or a dealer's officer at work) is not present around the vehicle 100. In other words, the “parking state” refers to the state in which a malicious third party is likely to make unauthorized access to the in-vehicle LAN 30.

The communication permission determination unit 12 determines that the vehicle 100 is in the parking state if any of the following four conditions is satisfied.

(1) The caution state signal indicates the security caution state of the vehicle 100.

That is, the security function is enabled, as described above, when the vehicle 100 is parked with the owner or the person equivalent to the owner away from the vehicle 100 after all doors of the vehicle 100 are locked through the smart key operation. Therefore, the communication permission determination unit 12 can determine that the vehicle 100 is in the parking state by receiving the caution state signal, which corresponds to the security caution state of the vehicle 100, from the ECU 40D.

(2) The warning state signal indicates the security warning state of the vehicle 100.

That is, the communication permission determination unit 12 can determine that the vehicle 100 is in the parking state, as in (1) described above, by receiving the warning state signal, which corresponds to the warning state that is caused when an illegal entry is detected in the security caution state, from the ECU 40D.

(3) The parking state signal indicates the “state in which all doors of the vehicle 100 are closed and locked through the wireless key operation or the smart key operation”.

That is, the “state in which all doors of the vehicle 100 are closed and locked through the wireless key operation or the smart key operation” corresponds to the state in which the vehicle 100 is parked with the owner or the person equivalent to the owner away from the vehicle 100. Therefore, the communication permission determination unit 12 can determine whether the vehicle 100 is in the parking state by receiving the parking state signal from the ECU 40B.

(4) The smart key detection state signal indicates that the smart key is not detected in the passenger space.

That is, the state in which the smart key is not detected in the passenger space corresponds to the state in which the vehicle 100 is parked with the owner or the person equivalent to the owner away from the vehicle 100. Therefore, the communication permission determination unit 12 can determine whether the vehicle 100 is in the parking state by receiving the smart key detection state signal from the ECU 40C.

When determining whether the vehicle 100 is in the parking state, the communication permission determination unit 12 may determine that the vehicle 100 is in the parking state not only if any of the four conditions described above is satisfied but also if the condition, in which the ignition switch (not shown) of the vehicle 100 is turned off (IG-OFF state), is satisfied.

In step S102, the communication permission determination unit 12 inhibits the relay (transfer) of a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or from the in-vehicle LAN 30 to the external apparatus 25. In response, the gateway unit 11 discards the communication frame.

On the other hand, in step S103, the communication permission determination unit 12 permits the relay (transfer) of a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or from the in-vehicle LAN 30 to the external apparatus 25. In response, the gateway unit 11 relays (transfers) the communication frame.

As described above, if it is determined that the vehicle 100 is in the parking state, the in-vehicle communication system 1 in this embodiment inhibits the relay (transfer) of a communication frame between the external apparatus 25 and the in-vehicle LAN 30. If it is determined that the vehicle 100 is not in the parking state, the in-vehicle communication system 1 permits the relay. This reliably prevents a malicious third party from making unauthorized access to the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30).

That is, when the vehicle 100 is in the parking state, the owner or the person equivalent to the owner is away from the vehicle 100 and it is not likely that authorized access is made from the external apparatus 25 to the in-vehicle LAN 30. If such access is made, there is a high possibility that the access is unauthorized access. Therefore, inhibiting communication between the external apparatus 25 and the in-vehicle LAN 30 when the vehicle 100 is in the parking state can reliably prevent a malicious third party from making unauthorized access to the in-vehicle LAN 30.

Second Embodiment

Next, a second embodiment is described below.

An in-vehicle communication system 1 in this embodiment differs from the in-vehicle communication system 1 in the first embodiment in that the system determines whether communication between the external apparatus 25 and the in-vehicle LAN 30 is permitted based on whether a failure is detected in the acquisition source of the vehicle information (information about the state of the vehicle 100) that is used for determining whether the vehicle 100 is in the parking state. The following describes this embodiment with emphasis on the description of the elements different from those in the first embodiment, using the same reference numeral to denote the same element in the first embodiment.

The configuration of the in-vehicle communication system 1 in this embodiment is shown in FIG. 1 as in the first embodiment and, therefore, the description is omitted.

FIG. 3 is a flowchart showing an example of communication permission determination processing performed by the in-vehicle communication system 1 (gateway ECU 10) in this embodiment. This flow is executed each time either a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or a communication frame from each ECU 40 in the in-vehicle LAN 30 to the external apparatus 25 is input to the gateway ECU 10.

In step S201, the communication permission determination unit 12 determines whether a failure is detected in the acquisition source of the vehicle information that is used in step S202 described below to determine whether the vehicle 100 is in the parking state. If it is determined that a failure is not detected in the acquisition source of the vehicle information, the processing of the communication permission determination unit 12 proceeds to step S202. If it is determined that a failure is detected in the acquisition source of the vehicle information, the processing of the communication permission determination unit 12 proceeds to step S204.

In this embodiment, if a failure is detected in none of the acquisition sources of the vehicle information used for determining whether the vehicle 100 is in the parking state, the processing proceeds to step S202. If a failure is detected in at least one of the acquisition sources of the vehicle information, the processing proceeds to step S204. However, it is also possible that the processing proceeds to step S202 if a failure is not detected in at least one of the acquisition sources of the vehicle information used for determining whether the vehicle 100 is in the parking state and that the processing proceeds to step S204 if a failure is detected in all acquisition sources of the vehicle information. In this case, the communication permission determination unit 12 determines, in step S202 described below, whether the vehicle 100 is in the parking state based on the vehicle information acquired from the acquisition source in which a failure is not detected.

In step S202, the communication permission determination unit 12 determines whether the vehicle 100 is in the parking state as in step S101 in the first embodiment. If it is determined that the vehicle 100 is in the parking state, the processing of the communication permission determination unit 12 proceeds to step S203. If it is determined that the vehicle 100 is not in the parking state, the processing of the communication permission determination unit 12 proceeds to step S204.

The communication permission determination unit 12 determines that the vehicle 100 is in the parking state if any of conditions (1) to (4) described above is satisfied as in the first embodiment.

In step S203, the communication permission determination unit 12 inhibits the relay (transfer) of a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or from the in-vehicle LAN 30 to the external apparatus 25. In response, the gateway unit 11 discards the communication frame.

On the other hand, in step S204, the communication permission determination unit 12 permits the relay (transfer) of a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or from the in-vehicle LAN 30 to the external apparatus 25. In response, the gateway unit 11 relays (transfers) the communication frame.

The determination processing in step S201 and step S202 may be performed in reverse order.

The following describes the method for determining, in step S201, whether a failure is detected in the acquisition sources of the vehicle information used for determining whether the vehicle 100 is in the parking state. In this embodiment, the vehicle information for determining whether the vehicle 100 is in the parking state includes the caution state signal, warning state signal, parking state signal, and the smart key detection state signal. The acquisition sources of these signals are the ECUs 40B, 40C, and 40D.

FIG. 4 is a flowchart showing an example of the failure determination processing performed by the in-vehicle communication system 1 (gateway ECU 10) for the acquisition sources (ECUs 40B to 40D) of the vehicle information. This flowchart is executed for each of the ECUs 40B to 40D each time the condition for permitting communication is established (each time the communication is permitted) for acquiring each piece of vehicle information (caution state signal, warning state signal, parking state signal, and the smart key detection state signal) that is sent from the ECUs 40B to 40D.

In step S301, the gateway ECU 10 starts internal timer counting.

In step S302, the gateway ECU 10 determines whether the communication is permitted. If the communication is permitted, the processing proceeds to step S303. If the communication is not permitted, the current processing is terminated.

In step S303, the gateway ECU 10 determines whether a communication frame is received. If a communication frame is received, the processing of the gateway ECU 10 returns to step S301. If a communication frame is not received, the processing proceeds to step S304.

In step S304, the gateway ECU 10 determines whether a predetermined time has elapsed. If the predetermined time has elapsed, the processing of the gateway ECU 10 proceeds to step S305. If the predetermined time has not yet elapsed, the processing returns to step S302.

The predetermined time is set to a value larger than the maximum value of the assumed frame reception interval in the communication in which the gateway ECU 10 acquires the vehicle information (caution state signal, warning state signal, parking state signal, and the smart key detection state signal) from the ECUs 40B to 40D.

In step S305, the communication permission determination unit 12 determines that a failure is detected and terminates the current processing.

In the example described above, the gateway ECU 10 monitors the frame reception interval in the communication in which the vehicle information (caution state signal, warning state signal, parking state signal, and the smart key detection state signal) is acquired from the ECUs 40B to 40D. If the elapsed time during which a frame is not received from the ECUs 40B to 40D exceeds the assumed reception interval, the gateway ECU 10 determines that a failure is detected.

The method for determining whether a failure is detected in the ECUs 40B to 40D is not limited to the example described above, and any method may be used. For example, if a connection confirmation request is sent to the ECUs 40B to 40D but no response to the connection confirmation request is received, the gateway ECU 10 may determine that a failure is detected in the ECUs 40B to 40D.

In this embodiment, the gateway ECU 10 acquires the vehicle information, used for determining whether the vehicle 100 is in the parking state, from the ECUs 40B to 40D via the in-vehicle LAN 30. Instead of this, it is supposed that, in some cases, the vehicle information is acquired from a sensor (for example, the door courtesy switch that detects the door open/close state) connected via a directly connected line. To detect a failure in a sensor connected via a directly connected line in this manner, it is possible to determine that a failure is detected in the sensor, for example, if the signal, corresponding to the IG-OFF state, is received from the sensor in the IG-ON state.

As described above, at least if it is determined that the vehicle 100 is in the parking state, the in-vehicle communication system 1 in this embodiment inhibits the relay (transfer) of a communication frame between the external apparatus 25 and the in-vehicle LAN 30 as in the first embodiment. This reliably prevents a malicious third party from making unauthorized access to the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30).

On the other hand, if it is determined that an abnormality (failure) is detected in the acquisition source of the vehicle information used for determining whether the vehicle 100 is in the parking state, the in-vehicle communication system 1 in this embodiment permits the relay (transfer) of a communication frame between the external apparatus 25 and the in-vehicle LAN 30. This solves an inconvenience that is caused when an abnormality is generated in the acquisition source of the vehicle information used for determining whether the vehicle 100 is in the parking state.

That is, if a failure is detected in the acquisition sources (ECUs 40B to 40D) of the vehicle information used for determining whether the vehicle 100 is in the parking state, there is a possibility that the vehicle information (caution state signal, warning state signal, parking state signal, and the smart key detection state signal) to be sent becomes incorrect information. In such a case, the vehicle 100, though not actually in the parking state, is determined to be in the parking state, sometimes resulting in a situation in which diagnostic communication cannot be carried out when there is a need for diagnostic communication between the external apparatus 25 and the in-vehicle LAN 30. To address this problem, if it is determined that an abnormality (failure) is detected in the acquisition sources of the vehicle information used for determining whether the vehicle 100 is in the parking state, the in-vehicle communication system 1 in this embodiment permits the relay (transfer) of a communication frame between the external apparatus 25 and the in-vehicle LAN 30. This method can solve such an inconvenience.
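The decision flows of FIG. 2 and FIG. 3, together with the reception-interval check of FIG. 4, can be sketched as follows. This is an added example, not code from the patent: all identifiers and the 500 ms timeout are assumptions, the step S302 check is omitted (status communication is assumed to be always permitted), and a newly received frame is assumed to clear a detected failure.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Acquisition sources named on the page; the identifiers are assumptions. */
enum source { SRC_40B, SRC_40C, SRC_40D, SRC_COUNT };

/* FIG. 2 flow, FIG. 3 flow, and the FIG. 3 variant that permits relay only
 * when every acquisition source has failed. */
enum mode { MODE_FIG2, MODE_FIG3_ANY_FAILED, MODE_FIG3_ALL_FAILED };

/* Assumed value: the page only requires it to exceed the maximum expected
 * frame reception interval. */
#define RX_TIMEOUT_MS 500u

struct gateway {
    bool caution_state;       /* ECU 40D: security caution state, condition (1) */
    bool warning_state;       /* ECU 40D: security warning state, condition (2) */
    bool parking_signal;      /* ECU 40B: doors closed and locked by key, (3)   */
    bool smart_key_detected;  /* ECU 40C: smart key in passenger space, (4)     */
    uint32_t last_rx_ms[SRC_COUNT]; /* time of the last status frame per source */
};

void gw_init(struct gateway *gw, uint32_t now_ms)
{
    gw->caution_state = gw->warning_state = gw->parking_signal = false;
    gw->smart_key_detected = true;
    for (int s = 0; s < SRC_COUNT; s++)
        gw->last_rx_ms[s] = now_ms;          /* S301: start timer counting */
}

/* S303 -> S301: a received status frame restarts the timer for its source. */
void gw_frame_received(struct gateway *gw, enum source s, uint32_t now_ms)
{
    gw->last_rx_ms[s] = now_ms;
}

/* S304/S305: failure when no frame arrived within the timeout.
 * Unsigned subtraction keeps the result correct across counter wrap-around. */
bool gw_source_failed(const struct gateway *gw, enum source s, uint32_t now_ms)
{
    return (uint32_t)(now_ms - gw->last_rx_ms[s]) > RX_TIMEOUT_MS;
}

/* S101/S202: parked if any of conditions (1) to (4) holds. With skip_failed
 * set, only signals from sources without a detected failure are used. */
bool gw_is_parked(const struct gateway *gw, uint32_t now_ms, bool skip_failed)
{
    bool use[SRC_COUNT];
    for (int s = 0; s < SRC_COUNT; s++)
        use[s] = !skip_failed || !gw_source_failed(gw, (enum source)s, now_ms);
    return (use[SRC_40D] && (gw->caution_state || gw->warning_state)) ||
           (use[SRC_40B] && gw->parking_signal) ||
           (use[SRC_40C] && !gw->smart_key_detected);
}

/* Called for every frame that reaches the gateway in either direction.
 * Returns true to relay the frame, false to discard it. */
bool gw_relay_permitted(const struct gateway *gw, uint32_t now_ms, enum mode m)
{
    if (m != MODE_FIG2) {                    /* S201: source failure check */
        int failed = 0;
        for (int s = 0; s < SRC_COUNT; s++)
            failed += gw_source_failed(gw, (enum source)s, now_ms) ? 1 : 0;
        int threshold = (m == MODE_FIG3_ANY_FAILED) ? 1 : SRC_COUNT;
        if (failed >= threshold)
            return true;                     /* S204: permit despite signals */
    }
    /* S102/S203 inhibit when parked, S103/S204 permit otherwise. */
    return !gw_is_parked(gw, now_ms, m == MODE_FIG3_ALL_FAILED);
}

int main(void)
{
    static const char *names[] = { "FIG. 2", "FIG. 3 (any failed)",
                                   "FIG. 3 (all failed)" };
    struct gateway gw;
    gw_init(&gw, 0);
    gw.caution_state = true;                 /* constructed scenario: parked, */
    gw.parking_signal = true;                /* doors locked by key           */
    gw_frame_received(&gw, SRC_40B, 900);    /* 40B and 40C keep reporting,   */
    gw_frame_received(&gw, SRC_40C, 900);    /* 40D has been silent since t=0 */
    for (int m = MODE_FIG2; m <= MODE_FIG3_ALL_FAILED; m++)
        printf("%-20s relay %s\n", names[m],
               gw_relay_permitted(&gw, 1000, (enum mode)m) ? "permitted"
                                                           : "inhibited");
    return 0;
}
```

In the constructed scenario, ECU 40D stops reporting while the vehicle is locked: the FIG. 2 flow and the all-failed variant keep inhibiting relay, whereas the any-failed flow of FIG. 3 permits it.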

Third Embodiment

Next, a third embodiment is described below.

An in-vehicle communication system 1 in this embodiment differs from the in-vehicle communication system 1 in the first and second embodiments in that the permission of communication between the external apparatus 25 and the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30) is determined considering the importance of information that may be transferred from the in-vehicle LAN 30 to the external apparatus 25. The ECU 40 corresponds to an internal apparatus of the invention. The following describes this embodiment with emphasis on the description of the elements different from those in the first and second embodiments, using the same reference numeral to denote the same element in the first and second embodiments.

The configuration of the in-vehicle communication system 1 in this embodiment is shown in FIG. 1 as in the first and second embodiments and, therefore, the description is omitted.

FIG. 5 is a flowchart showing an example of communication permission determination processing performed by the in-vehicle communication system 1 (gateway ECU 10) in this embodiment. This flow is executed each time either a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or a communication frame from each ECU 40 in the in-vehicle LAN 30 to the external apparatus 25 is input to the gateway ECU 10.

In step S401, as in step S201 in the second embodiment, the communication permission determination unit 12 determines whether a failure is detected in the acquisition source of the vehicle information that is used in step S402 described below to determine whether the vehicle 100 is in the parking state. If it is determined that a failure is not detected in the acquisition source of the vehicle information, the processing of the communication permission determination unit 12 proceeds to step S402. If it is determined that a failure is detected in the acquisition source of the vehicle information, the processing of the communication permission determination unit 12 proceeds to step S405.

In this embodiment as in the second embodiment, if a failure is detected in none of the acquisition sources of the vehicle information used for determining whether the vehicle 100 is in the parking state, the processing proceeds to step S402. If a failure is detected in at least one of the acquisition sources of the vehicle information, the processing proceeds to step S405. However, it is also possible that the processing proceeds to step S402 if a failure is not detected in at least one of the acquisition sources of the vehicle information used for determining whether the vehicle 100 is in the parking state and that the processing proceeds to step S405 if a failure is detected in all acquisition sources of the vehicle information. In this case, the communication permission determination unit 12 determines, in step S402 described below, whether the vehicle 100 is in the parking state based on the vehicle information acquired from the acquisition source in which a failure is not detected.

In step S402, the communication permission determination unit 12 determines whether the vehicle 100 is in the parking state as in step S202 in the second embodiment. If it is determined that the vehicle 100 is in the parking state, the processing of the communication permission determination unit 12 proceeds to step S403. If it is determined that the vehicle 100 is not in the parking state, the processing of the communication permission determination unit 12 proceeds to step S405.

The communication permission determination unit 12 determines that the vehicle 100 is in the parking state if any of conditions (1) to (4) described above is satisfied as in the first and second embodiments.

In step S403, the communication permission determination unit 12 determines the importance level of the information stored in an ECU 40 in the in-vehicle LAN 30 that is the sending source or the sending destination of a communication frame. If it is determined that the importance level of the information stored in the ECU 40 is high, the processing of the communication permission determination unit 12 proceeds to step S404. If it is determined that the importance level of the information stored in the ECU 40 is low, the processing of the communication permission determination unit 12 proceeds to step S405.

The information, which is stored in each ECU 40 and the importance level of which is high, is the information that, if rewritten by a malicious third party, will have a very significant influence. A specific example is the program information on the condition, stored in the ECU 40D, for releasing the security caution state. The information, which is stored in each ECU 40 and the importance level of which is low, is the information that, if rewritten by a malicious third party, will not generate a problem or the information that is indicated by the meters in the passenger space. A specific example is the fuel consumption information (engine rotation speed and the fuel injection amount).

In step S404, the communication permission determination unit 12 inhibits the relay (transfer) of a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or from the in-vehicle LAN 30 to the external apparatus 25. In response, the gateway unit 11 discards the communication frame.

On the other hand, in step S405, the communication permission determination unit 12 permits the relay (transfer) of a communication frame from the external apparatus 25 to the in-vehicle LAN 30 or from the in-vehicle LAN 30 to the external apparatus 25. In response, the gateway unit 11 relays (transfers) the communication frame.

The determination processing in step S401 to step S403 may be performed in any order.

In this embodiment, the processing in step S403 is added between step S202 and steps S203 and S204 in the flowchart of the communication permission determination processing in FIG. 3 in the second embodiment. Instead of this, the processing in step S403 may be added between step S101 and steps S102 and S103 in the flowchart of the communication permission determination processing in FIG. 2 in the first embodiment.
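
The following C example, added here as an illustration and not part of the patent text, walks one frame through steps S401 to S405. It goes slightly beyond the flowchart by using the timeout-based failure detection of claim 3 and the four parking conditions of claim 5; the type and function names, the 500 ms timeout, the high rating given to ECUs 40B and 40C, and the treatment of unknown ECUs as high importance are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* All names and values here are hypothetical; the page defines only S401-S405. */
typedef enum { RELAY_INHIBIT, RELAY_PERMIT } relay_t;
enum { ECU_40A, ECU_40B, ECU_40C, ECU_40D, ECU_COUNT };
#define N_SOURCES 3            /* vehicle-information sources: ECUs 40B to 40D */
#define SOURCE_TIMEOUT_MS 500u /* assumed "predetermined time" for a silent source */

typedef struct {
    bool caution, warning;          /* security caution / warning state */
    bool locked_by_key;             /* all doors closed and locked by wireless or smart key */
    bool smart_key_absent;          /* no smart key in the passenger space */
    uint32_t last_rx_ms[N_SOURCES]; /* last reception time per source */
} vehicle_info_t;

/* S403 table: 40A (fuel consumption) is low, 40D (caution-release condition)
 * is high. Rating 40B and 40C high is an assumption of this example. */
static const bool high_importance[ECU_COUNT] = { false, true, true, true };

/* S401: a failure in at least one source counts as a failure. */
static bool source_failed(const vehicle_info_t *v, uint32_t now_ms) {
    for (size_t i = 0; i < N_SOURCES; i++)
        if ((uint32_t)(now_ms - v->last_rx_ms[i]) > SOURCE_TIMEOUT_MS)
            return true;            /* unsigned subtraction survives counter wrap */
    return false;
}

/* S402: parking state if any one of the four conditions holds. */
static bool is_parking(const vehicle_info_t *v) {
    return v->caution || v->warning || v->locked_by_key || v->smart_key_absent;
}

/* Called per frame in either direction; ecu is the frame's in-vehicle endpoint. */
relay_t decide_relay(const vehicle_info_t *v, uint32_t now_ms, unsigned ecu) {
    if (source_failed(v, now_ms)) return RELAY_PERMIT;            /* S401 -> S405 */
    if (!is_parking(v))           return RELAY_PERMIT;            /* S402 -> S405 */
    if (ecu < (unsigned)ECU_COUNT && !high_importance[ecu])
        return RELAY_PERMIT;                                      /* S403 -> S405 */
    return RELAY_INHIBIT;         /* S404: unknown ECUs are treated as high */
}

/* Constructed sample input: vehicle state observed at t = 10000 ms. */
relay_t sample_decision(bool parked, bool source_silent, unsigned ecu) {
    vehicle_info_t v = { .locked_by_key = parked,
        .last_rx_ms = { 9900u, 9900u, source_silent ? 9000u : 9900u } };
    return decide_relay(&v, 10000u, ecu);
}
```

The S401 branch fails open: a vehicle-information source that goes silent yields RELAY_PERMIT even while the vehicle is parked, so the timeout value and the health of ECUs 40B to 40D are security-relevant parameters of this design.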

As described above, the in-vehicle communication system 1 in this embodiment inhibits the relay (transfer) of a communication frame between the external apparatus 25 and the in-vehicle LAN 30, as with the in-vehicle communication system 1 in the first and second embodiments, at least if it is determined that the vehicle 100 is in the parking state. This reliably prevents a malicious third party from making unauthorized access to the in-vehicle LAN 30 (each ECU 40 in the in-vehicle LAN 30).

In addition, if it is determined that an abnormality (failure) is detected in the acquisition source of the vehicle information used for determining whether the vehicle 100 is in the parking state, the in-vehicle communication system 1 in this embodiment permits the relay (transfer) of a communication frame between the external apparatus 25 and the in-vehicle LAN 30 as in the second embodiment. This solves an inconvenience that is caused when an abnormality is generated in the acquisition source of the vehicle information used for determining whether the vehicle 100 is in the parking state.

In addition, the in-vehicle communication system 1 in this embodiment determines the importance level of the information stored in each ECU 40 in the in-vehicle LAN 30 and, at the same time, permits communication between an ECU 40, which is one of the ECUs 40 in the in-vehicle LAN 30 and does not include high importance level information, and the external apparatus 25. For example, the in-vehicle communication system 1 in this embodiment permits communication between the ECU 40A, which stores the fuel consumption information, and the external apparatus 25 regardless of whether the vehicle 100 is in the parking state. This allows low importance level information (for example, fuel consumption information) to be sent from the ECU 40 in the in-vehicle LAN 30 to the external apparatus 25 regardless of whether the vehicle 100 is in the parking state, thus increasing convenience in acquiring the self-diagnostic information using the in-vehicle communication system 1. One exemplary use of this ability is that, with the external apparatus 25 kept connected to the external bus 20 during night time (while the gateway ECU 10 is parked), the fuel consumption information on the latest trip of the vehicle 100 is acquired and stored in the external apparatus 25 in advance so that the fuel consumption information, acquired by the external apparatus 25, can be immediately referenced the next day.

While the embodiments of the present invention have been described in detail, it is to be understood that the present invention is not limited to the specific embodiments above but that various modifications and changes may be added within the scope of the present invention described in claims.

For example, though an example of diagnostic communication carried out between the external apparatus 25 and the in-vehicle LAN 30 is described in the embodiments above, the contents of the embodiments above may be applied to an in-vehicle communication system in which the external apparatus and the in-vehicle LAN carry out communication in any mode. Such a system will perform a similar operation and have a similar effect.

What is claimed is:
1. An in-vehicle communication system comprising: a gateway that is configured to relay communication between an external apparatus and an in-vehicle LAN; and a communication permission determination unit that is configured to inhibit communication between the external apparatus and the in-vehicle LAN through the gateway if it is determined that a vehicle having the in-vehicle LAN mounted therein is in a parking state based on acquired predetermined vehicle information.

2. The in-vehicle communication system according to claim 1, wherein: the communication permission determination unit determines whether an abnormality is detected in an acquisition source of the predetermined vehicle information; and if it is determined that an abnormality is detected in the acquisition source, the communication permission determination unit permits communication between the external apparatus and the in-vehicle LAN through the gateway.

3. The in-vehicle communication system according to claim 2, wherein the communication permission determination unit determines the abnormality is detected in the acquisition source when a time during which the vehicle information is not received in a communication in which the gateway acquires the vehicle information exceeds a predetermined time.

4. The in-vehicle communication system according to claim 1, wherein: the communication permission determination unit determines an importance level of information stored in apparatuses included in the in-vehicle LAN; and the communication permission determination unit permits communication between an internal apparatus and the external apparatus, the internal apparatus being one of the internal apparatuses included in the in-vehicle LAN, the internal apparatus not including information the importance level of which is determined high.

5. The in-vehicle communication system according to claim 1, wherein the communication permission determination unit determines that the vehicle is in the parking state if at least one of conditions is satisfied, the conditions including a condition in which the vehicle is in a security caution state, a condition in which the vehicle is in a security warning state, a condition in which all doors of the vehicle are closed and locked through a wireless key operation or a smart key operation, and a condition in which a smart key is not present in a passenger space of the vehicle.